The Problem With Patching: 7 Top Complaints

Is your security team suffering from patching fatigue? Check out these tips and eliminate critical vulnerabilities in your IT environment.

A term that’s cropped up recently among IT managers is “patching fatigue,” referring to the overwhelming number of patches organizations need to keep their IT environment up-to-date and secure.

According to the 2016 IBM Security Report, which covers 18 years of patches, there are over 100,000 known vulnerabilities, which works out to more than 5,000 a year. Only a few hundred would affect any one device in a network at a given time, but these security risks pile up quickly. Even in a small environment, that is a monumental task. It's no wonder "patch fatigue" has caught the attention of many IT departments.

Tripwire recently conducted a survey of nearly 500 US-based IT professionals about their struggles to keep up with patching. Based on the Tripwire data, here are the seven top complaints about patching, along with suggestions for streamlining the process.

Complaint: Patch Management Is Too Time Consuming. No matter the size of the organization, whether it has a few hundred endpoints or over 1,000, patching can take hundreds of hours every month. There is added concern when a patch requires a system restart, especially on servers, where significant downtime and lost business are the likely result.

What To Do About It: Deploy a patch management tool that automates the patching process during maintenance windows when the business is least affected, usually on weekends or after hours. It also helps to focus first on mission-critical patches and to identify the areas that are most exposed.

Complaint: It's More Than Microsoft And Operating Systems. The patching process isn't limited to Windows or other operating systems. Third-party applications have patches too, and not all patches are created equal. Products like WordPress are relatively simple to update, but Java and Flash are often major pain points.

What To Do About It: Ideally, the patch management tool also covers the major third-party vendors' products. It is imperative to know what software is on which devices. If a department or a collection of devices shares the same software, grouping those devices' patches together saves time and resources.
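As an added illustration of that kind of inventory check (example code written for this page, not Tripwire's tool or anything from the original article), the Python below reads a constructed inventory of hosts, products and version strings, normalises the three ways a Java install commonly reports its version (1.8.0_121, 8u121, and the four-part 8.0.1210.11 form seen in some Windows installer entries, which is the problem the next complaint describes), flags every install that sits below an assumed baseline, and groups hosts that need the same set of patches so they can be scheduled together. The inventory rows, the baseline versions and the product names are all assumptions; a real deployment would feed in the output of whatever inventory agent the organisation runs.

```python
import re
from collections import defaultdict

# Constructed inventory: (hostname, product, version string exactly as the
# device reports it). These rows are made up for the example.
INVENTORY = [
    ("ws-001", "Java", "1.8.0_121"),
    ("ws-001", "Flash", "24.0.0.194"),
    ("ws-002", "Java", "8u131"),
    ("ws-003", "Java", "8.0.1310.11"),
    ("ws-003", "Java", "1.7.0_80"),      # a second, bundled JRE on the same host
    ("srv-db1", "Java", "1.8.0_131"),
    ("srv-db1", "Flash", "25.0.0.127"),
]

# Assumed minimum patched versions (hypothetical targets, not from the article).
# Java is tracked as (major, update); Flash as its full dotted tuple.
BASELINE = {"Java": (8, 131), "Flash": (25, 0, 0, 127)}

# The three Java version spellings handled here; each captures (major, update).
_JAVA_PATTERNS = [
    re.compile(r"^1\.(\d+)\.0_(\d+)$"),       # 1.8.0_121  (java -version style)
    re.compile(r"^(\d+)u(\d+)$"),              # 8u121      (download/update naming)
    re.compile(r"^(\d+)\.0\.(\d+)0\.\d+$"),    # 8.0.1210.11 (assumed installer-entry style)
]


def parse_version(product, raw):
    """Turn a reported version string into a comparable tuple of ints."""
    if product == "Java":
        for pattern in _JAVA_PATTERNS:
            match = pattern.match(raw)
            if match:
                return (int(match.group(1)), int(match.group(2)))
        raise ValueError(f"unrecognised Java version string: {raw!r}")
    # Everything else is assumed to use plain dotted numeric versions.
    return tuple(int(part) for part in raw.split("."))


def find_outdated(inventory, baseline):
    """Return {hostname: [(product, raw_version), ...]} for installs below baseline.

    A host with several copies of one product (bundled runtimes) is reported
    once per out-of-date copy, because patching the system copy does not fix
    the bundled one.
    """
    outdated = defaultdict(list)
    for host, product, raw in inventory:
        if product not in baseline:
            continue  # nothing to compare against for this product
        if parse_version(product, raw) < baseline[product]:
            outdated[host].append((product, raw))
    return dict(outdated)


def group_by_patch_need(outdated):
    """Group hosts by the set of products they need patched, so one maintenance
    window can cover every host with identical needs."""
    groups = defaultdict(list)
    for host, installs in outdated.items():
        key = tuple(sorted({product for product, _ in installs}))
        groups[key].append(host)
    return dict(groups)


if __name__ == "__main__":
    stale = find_outdated(INVENTORY, BASELINE)
    for host, installs in stale.items():
        print(host, "->", ", ".join(f"{p} {v}" for p, v in installs))
    for products, hosts in group_by_patch_need(stale).items():
        print("patch", "+".join(products), "on", ", ".join(hosts))
```

On the constructed data this reports ws-001 (old Java and old Flash) and ws-003 (a current Java 8 alongside a stale bundled Java 7), while ws-002 and srv-db1 are clean even though their version strings are spelled differently; that second case is exactly the one string-matching on the raw version would get wrong.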
Complaint: Java And Flash, The Problem Children. Two of the largest contributors to patch fatigue are Java and Flash, because they are typically bundled with other products. Bundling creates version-control issues: it is difficult to know which versions of Java and Flash were deployed to which devices, and a single device may carry more than one copy.

What To Do About It: An inventory tool is the best way to manage this issue. Properly scanning each device for the software and the software version enables correct patch deployment and removes the guesswork.

Complaint: Structured Scheduling And Critical Fixes. Patch Tuesday is Microsoft's monthly release cycle, always the second Tuesday of the month, providing updates for its catalogue of products. While many IT managers would rather have critical fixes released as soon as they are ready (Microsoft does issue out-of-band updates for the most serious flaws), the fixed schedule has eased the burden for many. Companies like Apple, however, release on an intermittent basis, so an environment with several operating systems faces a greater challenge.

What To Do About It: Get on a schedule. It doesn't have to match Microsoft's, though many IT departments implement a Patch Saturday. Set aside one period each month to patch devices. Rotating through groups of devices for less-critical patches helps spread the workload. Patching must take place at least quarterly; anything less frequent leaves the network dangerously exposed.

Complaint: What Version Is This? Windows 10 Branching. Microsoft's servicing strategy for Windows 10 updates the OS in two different ways. The Long-Term Servicing Branch (LTSB) is the familiar model: security updates and bug fixes only. Alternatively, customers can use the Current Branch (CB), which also delivers new features. New features help end users, but the testing required and the possible downtime are the immediate drawbacks.

What To Do About It: Test before moving to the CB. If the business has legacy applications tied to older OS versions, updating to the Current Branch is probably inadvisable. Staying up to date is important, but not at the cost of doing business.

Complaint: Don't Deploy Every Patch. The Common Vulnerability Scoring System (CVSS) is the industry-standard method for rating how severe a vulnerability is, and vendors use it to signal how urgently a patch should be applied. But what matters most is how critical a patch is to a particular device in this business's network: the CVSS base score describes the flaw in isolation, and the standard's Environmental metrics exist precisely to adjust it for the affected asset. Many patches with a low vendor-issued severity can be deprioritized, and conversely, patches that rate low on most devices can be critical in a specific environment.

What To Do About It: Controlling which missing updates get deployed first, especially those with serious consequences if left unpatched, lessens the potential impact. A patch management tool that identifies which patches are missing and gives greater clarity on their importance limits the strain.
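To make the point above concrete, here is an added example (written for this page, not code from Tripwire or from the original article) that re-ranks vendor CVSS scores against a constructed set of assets. The weighting is a deliberately simple stand-in for the CVSS Environmental metrics, not the official formula: the base score is scaled by an assumed 1-to-5 asset criticality, a network-exploitable flaw on an internet-facing host gets a bonus, and a patch for a product the asset does not run scores zero. The patch identifiers, products, scores and assets are all invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # assumed scale: 1 (lab box) .. 5 (revenue-critical)
    internet_facing: bool
    software: frozenset    # products installed on the asset


@dataclass(frozen=True)
class Patch:
    patch_id: str          # hypothetical identifier, not a real KB or CVE
    product: str
    cvss_base: float       # vendor-issued CVSS base score, 0.0 .. 10.0
    network_vector: bool   # True if the flaw is exploitable over the network


# Constructed patch feed: one critical and one low-rated Java fix, a Flash fix,
# and a medium-rated fix for an internal reporting application.
PATCHES = [
    Patch("PATCH-A", "Java", 9.8, True),
    Patch("PATCH-B", "Flash", 7.5, True),
    Patch("PATCH-C", "Java", 4.3, False),
    Patch("PATCH-D", "Reporting", 5.3, True),
]

# Constructed assets: an internet-facing web server, a lab machine, and an
# internal finance database that runs only the reporting application.
ASSETS = [
    Asset("web-01", 5, True, frozenset({"Java"})),
    Asset("lab-07", 1, False, frozenset({"Java", "Flash"})),
    Asset("fin-db", 5, False, frozenset({"Reporting"})),
]


def priority(patch, asset):
    """Contextual priority of one patch on one asset, 0.0 .. 10.0.

    Simplified stand-in for CVSS Environmental scoring (an assumption of this
    example): vendor severity scaled by asset criticality, plus a fixed bonus
    when a network-exploitable flaw sits on an internet-facing host.
    """
    if patch.product not in asset.software:
        return 0.0  # the vulnerable component is not present at all
    score = patch.cvss_base * (asset.criticality / 5)
    if patch.network_vector and asset.internet_facing:
        score += 2.0
    return round(min(score, 10.0), 1)


def rank(patches, assets, threshold=4.0):
    """Return (priority, asset, patch_id) rows at or above the threshold,
    highest priority first. Everything below the threshold is left for a
    routine maintenance window rather than an urgent deployment."""
    rows = [
        (priority(patch, asset), asset.name, patch.patch_id)
        for asset in assets
        for patch in patches
        if priority(patch, asset) >= threshold
    ]
    rows.sort(key=lambda row: (-row[0], row[1], row[2]))
    return rows


if __name__ == "__main__":
    for score, asset_name, patch_id in rank(PATCHES, ASSETS):
        print(f"{score:>5}  {asset_name:<8} {patch_id}")
```

The ranking shows both halves of the article's argument: the 9.8-rated Java fix is urgent on the web server but scores 2.0 on the lab box and drops out of the urgent list, while the medium 5.3 reporting-application fix on the finance database outranks the medium Java fix on the web server. The threshold and the weights are knobs; the point is that they are set by the business, not by the vendor's score alone.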

Complaint: Patching And Vulnerability Management. Patching and vulnerability management are frequently intermingled terms, but they are not interchangeable. Even after patching, vulnerabilities may still exist in the network, and it is important to identify where these pitfalls are, typically in legacy applications and older OS versions for which no fix will ever be issued.

What To Do About It: Patching is the first step in securing an IT network, but the job hardly stops there. Gaining a thorough understanding of the network through accurate reporting will identify the areas of concern. It is also important to remove discontinued products; this alone mitigates many problems. But until devices begin self-upgrading or self-patching, it will continue to fall to the IT manager to find the best way to manage each challenge and relieve the many headaches of patching fatigue.

This article was originally posted on Information Week’s Dark Reading.